from the who's-fronting-now? dept

Just as places like Russia are getting more aggressive with companies like Google and Amazon in seeking to stop online communications they can't monitor, Google made a move that really fucked over a ton of people who rely on anti-censorship tools. For years, various anti-censorship tools from Tor to GreatFire to Signal have made use of "domain fronting." That's a process by which services could get around censorship by effectively appearing to send traffic via large companies' sites, such as Google's. The link above describes the process as follows:

Domain fronting works at the application layer, using HTTPS, to communicate with a forbidden host while appearing to communicate with some other host, permitted by the censor. The key idea is the use of different domain names at different layers of communication. One domain appears on the “outside” of an HTTPS request—in the DNS request and TLS Server Name Indication—while another domain appears on the “inside”—in the HTTP Host header, invisible to the censor under HTTPS encryption. A censor, unable to distinguish fronted and nonfronted traffic to a domain, must choose between allowing circumvention traffic and blocking the domain entirely, which results in expensive collateral damage. Domain fronting is easy to deploy and use and does not require special cooperation by network intermediaries. We identify a number of hard-to-block web services, such as content delivery networks, that support domain-fronted connections and are useful for censorship circumvention. Domain fronting, in various forms, is now a circumvention workhorse.

In short, because most countries are reluctant to block all of Google, the ability to use Google for domain fronting was incredibly useful in getting around censorship. And now it's gone. Google claims that it never officially supported it, that this was a result of a planned update, and it has no intention of bringing it back:

“Domain fronting has never been a supported feature at Google,” a company representative said, “but until recently it worked because of a quirk of our software stack. We’re constantly evolving our network, and as part of a planned software update, domain fronting no longer works. We don’t have any plans to offer it as a feature.”
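Seen from a TLS-terminating front end, the only place where both the "outside" name (SNI) and the "inside" name (Host header) are visible, refusing fronted requests comes down to comparing the two names. The following is an added example, not code from this article, the quoted paper, or Google; the routing table, tenant names, hostnames, and the choice of HTTP 421 for refusals are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed routing table for a hypothetical shared front end:
# hostname pattern -> tenant that owns it. These are not real customers.
TENANTS = {
    "www.allowed.example": "tenant-a",
    "*.allowed.example": "tenant-a",
    "hidden-service.example": "tenant-b",
}


@dataclass(frozen=True)
class Verdict:
    status: int   # HTTP status the front end would answer with
    reason: str   # short label suitable for a log field


def normalize_host(value: str) -> str:
    """Lower-case a hostname and drop any :port suffix or trailing dot."""
    host = value.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:443
        end = host.find("]")
        return host[1:end] if end != -1 else host
    if host.count(":") == 1:                 # host:port
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def pattern_matches(pattern: str, host: str) -> bool:
    """Exact match, or a '*.' wildcard covering exactly one leftmost label."""
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                     # e.g. ".allowed.example"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label


def owner_of(host: str, tenants=TENANTS) -> Optional[str]:
    """Return the tenant owning `host`; exact entries win over wildcards."""
    if host in tenants:
        return tenants[host]
    for pattern, tenant in tenants.items():
        if pattern_matches(pattern, host):
            return tenant
    return None


def check_request(sni: Optional[str], host_header: str, tenants=TENANTS) -> Verdict:
    """Compare the outer name (TLS SNI) with the inner name (HTTP Host)."""
    if not sni:
        # No outer name to compare against; this sketch refuses (a policy choice).
        return Verdict(421, "no-sni")
    host = normalize_host(host_header)
    inner_owner = owner_of(host, tenants)
    if inner_owner is None:
        return Verdict(421, "unknown-host")
    outer = normalize_host(sni)
    if outer == host:
        return Verdict(200, "match")
    if owner_of(outer, tenants) == inner_owner:
        # Different names, same owner: ordinary multi-name hosting.
        return Verdict(200, "same-tenant")
    # Outer name belongs to one tenant, inner name to another: the pattern
    # the quoted abstract calls domain fronting.
    return Verdict(421, "cross-tenant-mismatch")


# Constructed (sni, host) pairs as a front end might log them.
SAMPLE_REQUESTS = [
    ("www.allowed.example", "www.allowed.example"),
    ("WWW.Allowed.Example.", "www.allowed.example:443"),
    ("www.allowed.example", "img.allowed.example"),
    ("www.allowed.example", "hidden-service.example"),
    (None, "hidden-service.example"),
    ("www.allowed.example", "nothing.example"),
]


def audit(records=SAMPLE_REQUESTS):
    """Return the reason label for each logged (sni, host) pair."""
    return [check_request(sni, host).reason for sni, host in records]


if __name__ == "__main__":
    for (sni, host), reason in zip(SAMPLE_REQUESTS, audit()):
        print(f"sni={sni!s:<24} host={host:<28} -> {reason}")
```

A network observer without the TLS keys sees only the first column of each pair, which is why the comparison can only be made at the terminating edge.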

“As a repository and organizer of the world’s information, Google sees the power of access to knowledge. Likewise, the company understands the many ingenious ways that people evade censors by piggybacking on its networks and services. There’s no ignorance excuse here: Google knows this block will levy immediate, adverse effects on human rights defenders, journalists, and others struggling to reach the open internet,” said Peter Micek, General Counsel at Access Now. “To issue this decision with a shrug of the shoulders, disclaiming responsibility, damages the company’s reputation and further fragments trust online broadly, for the foreseeable future.”

“Google has long claimed to support internet freedom around the world, and in many ways the company has been true to its beliefs. Allowing domain fronting has meant that potentially millions of people have been able to experience a freer internet and enjoy their human rights. We urge Google to remember its commitment to human rights and internet freedom and allow domain fronting to continue,” added Nathan White, Senior Legislative Manager at Access Now.

Google doesn't need to support domain fronting, and there are reasonable business reasons for not doing so. But... there are also strong human rights reasons why the company should reconsider. In the past, Google has taken principled stands on human rights. This is another time that it should seriously consider doing so.

from the spray-and-pray(ers-for-relief) dept

Copyright trolls still labor under the (deliberate) misconception that an IP address is a person. Sometimes judges allow it. Sometimes judges remind them not to conflate the two. And sometimes -- well, maybe just this once -- the IP address being sued is actually a Tor exit node, evidence of nothing. (h/t Raul)

In an opinion handed down by Judge Michael Simon, the person Dallas Buyers Club is suing for infringement will be subject to adverse jury instructions thanks to the Tor exit node DBC sued. The order refers to alleged evidence spoliation by the defendant, who shut down his exit node after being sued. The defendant has (correctly) pointed out "Evidence of what?" because it's highly unlikely his node would cough up any usable identifying information about infringers utilizing the node.

All DBC had was an IP address, and it wasn't linked to the defendant -- at least not in terms of it being his personal computer.

The internet protocol ("IP") address identified by Plaintiff as infringing on Plaintiff's movie is an IP address associated with one of Defendant's servers. Defendant operated this server as a virtual machine ("VM"). Using VM technology, Defendant migrated information from his old multiple servers onto two servers operating as VMs. One of these is the physical machine associated with the allegedly infringing IP address ("Infringing Machine").

On the Infringing Machine, Defendant installed Tor Network software and created a "Tor Node," which facilitates use of the Tor Network by end users by routing information through Defendant's machine. Also on this machine were VMs for two email servers. The Infringing Machine had two hard drives, which were mirrored. Defendant did not use the Infringing Machine as a personal computer and did not attach any personal computer to this machine. The Infringing Machine was located on a server rack.

It wasn't until 10 months after the original filing that DBC finally submitted an amended complaint actually naming a human defendant (along with his business "Integrity Computer Services"). Prior to being served himself, the defendant learned of the lawsuit and participated in some discovery conferences. At two points between the lawsuit's filing and his appearance at the conferences, the defendant attempted to fix his malfunctioning RAID system by deploying a utility that basically wiped everything off the drives. He left the Tor node running and moved anything related to his personal business off the server.

DBC claimed this was done to destroy evidence. The defendant countered, explaining it was highly unlikely a Tor exit node would produce usable information. (He had also offered to shut down the node to "amicably resolve" the lawsuit by ending the alleged infringement his node was supposedly "allowing" to happen.)

The Court finds credible Defendant's statements that he genuinely believed that his hard drives would not contain any information that would identify or provide relevant data relating to the alleged infringement, based on his understanding of how Tor Nodes operate. Defendant explained his understanding and the basis for it in detail.

The Court also finds instructive the unique facts of this case. The Infringing Machine was not a personal computer from which all data was wiped with after-market software. The Infringing Machine was a Tor Node that routed information for other end users around the world. As Defendant points out, it is questionable that he had a motive to deceive the Court by wiping information that may or may not have identified some unknown user somewhere in the world.

Despite this, the court has decided to sanction the defendant for not preserving what may have been completely useless data. It won't go as far as DBC wants it to (the troll asked for a default judgment in its favor) but it won't help the defendant much if this case goes to trial.

Accordingly, the Court orders that the jury shall be instructed as follows:

Defendant John Huszar has failed to preserve computer hard drives that may have contained evidence relevant to this case. You may presume that the lost evidence was favorable to Plaintiff. Whether this finding is important to you in reaching a verdict in this case is for you to decide.

A partial win for the speculative invoicing team at DBC. If this case goes to trial, the defendant starts with a strike against him when the jury goes to deliberate. Perhaps the jury will see the case for what it is: a copyright troll suing a Tor exit node because it can't be bothered to go after those actually committing infringement. Then again, the discussion of RAID controllers, IP address-cloaking efforts, and other technical details may become "evidence" the defendant had "something to hide." "Normal" computer users don't run Tor exit nodes or multiple servers, and when the facts seem weird and ungainly, they tend to work against the person deploying them.

from the press-'play'-to-decloak dept

HackerHouse have been investigating social engineering attacks performed with Digital Rights Management (DRM) protected media content. Attackers have been performing these attacks in the wild to spread fake codec installers since Microsoft introduced DRM to its proprietary media formats.

Improperly-licensed media files will produce a pop-up, asking the user if they want to visit the originating site to obtain the rights to play the file. This popup also warns users that this is a great way to pick up malware if they're not careful. In these cases, computer users will likely be deterred from following through on the risky click.

But that only happens if it's not licensed properly. If it is -- an expensive process that runs about $10,000 -- then no warning appears, leaving users open to attack by malicious fake codec installers. What would be the point of these fake installers? One possible use for the exploitation of Windows DRM is the exposure of Tor users' information.

As these “signed WMV” files do not present any alert to a user before opening them they can be used quite effectively to decloak users of the popular privacy tool TorBrowser with very little warning. For such an attack to work your target candidate must be running TorBrowser on Windows. When opening/downloading files, TorBrowser does warn you that 3rd party files can expose your IP address and should be accessed in tails.

The $10k price tag for proper licensing is a deterrent to small-time malware purveyors. But it would only be a drop in the bucket for a well-funded government agency and/or any NGOs they employ. It's basically the Network Investigative Technique the FBI deployed in the Playpen cases -- only one able to be buried inside media files which could be scattered around like mini-honeypots.

The DRM-based attack certainly wouldn't be limited to law enforcement agencies. It would also be deployed by spy agencies for use against terrorists (who love to share media files) and, unfortunately, by governments every bit as malicious as the software they're deploying. The exploit could just as easily be deployed to target dissidents, journalists, and other "enemies of the state" through booby-trapped, DRM-laden files that strip away anonymity while delivering information these entities might find intriguing/useful.

Underneath it all is Microsoft's apparently misplaced faith in properly-signed media files put together with its development kits. Rather than warn users that the redirect to the codec installer may still be risky despite the proper signature, Windows will automatically open a new browser instance and download the file with no further user interaction.

from the keeping-the-public-at-arm's-length dept

The ACLU would like to take a closer look at the government's activities regarding its seizure of Freedom Hosting back in 2013. To date, the docket remains sealed -- as is the case in far too many DOJ prosecutions. In this case, the FBI basically took over Freedom Hosting to serve up its Network Investigative Tool to unmask anonymous Tor users.

The difference between this and its more recent NIT deployment in the Playpen child porn case is that many of those exposed by the malware weren't suspected of any wrongdoing. While letting the exploit run its course, the FBI also helped itself to TorMail's email database, later acquiring a warrant to access the contents of the seized communications.

The ACLU would like to take a look at the warrant authorizing the NIT deployment, especially in light of recent Playpen prosecutions where federal judges have found the warrant used invalid. But the first step is unlocking the docket itself, which remains blocked from public view. Joseph Cox of Motherboard was the first to report on the ACLU's recent filing.

The Washington Post recently confirmed that the FBI used a “network investigative technique” or NIT—the agency's term for a hacking tool—on the TorMail site. According to the article, the FBI had obtained a warrant to hack the owners of certain email accounts suspected of being involved in child pornography, and anonymous sources claimed that, with this approach, only suspects who had been linked to child pornography would be hacked.

But journalists, dissidents, and other individuals used TorMail too, and it seems that the error page was presented to every TorMail user—raising questions about how broad the operation really was.

“That the FBI engaged in a bulk hacking operation against all visitors to TorMail, which had many lawful, valid uses, raises serious concerns about the appropriateness of bulk hacking, and the extents to which courts should be authorizing and supervising such operations,” reads the motion to unseal the docket, which was written by ACLU attorneys Brett Kaufman, Nathan Wessler, and David Rocah and filed last week.

As the ACLU points out in its filing [PDF], the public should be apprised of the details of questionable actions taken by the FBI -- especially the contents of the warrant supposedly authorizing the bulk distribution of malware to Tor users who weren't suspects in criminal investigations.

Even if the government were to argue that unsealing the docket and the contents of the warrant would negatively affect future investigations/prosecutions (and it surely will argue this…), the court shouldn't find that assertion particularly compelling. From the motion to unseal:

Once the First Amendment right of access attaches, the burden to overcome it “rests on the party seeking to restrict access, and that party must present specific reasons in support of its position.” Access may only be denied if the party can demonstrate a “compelling governmental interest” in support of closure and prove that closure is “narrowly tailored to serve that interest.”

There is, to be sure, a legitimate governmental interest in protecting the integrity of an ongoing investigation. As the Fourth Circuit has recognized, however, “it is not enough simply to assert this general principle without providing specific underlying reasons for the district court to understand how the integrity of the investigation reasonably could be affected by the release of [the] information [sought].”

[...]

The malware warrant in question here was issued by this Court in mid-2013, and by the end of 2014 the sole prosecution known to the ACLU to have resulted from it had already been resolved. See Klein Press Release. The existence of the malware operation, moreover, has been officially acknowledged by the FBI. 2013 Poulsen Article. Thus, “the genie is out of the bottle” with respect to information the government may have once had a legitimate interest in protecting.

What remains secret, however, is the very “index” to the proceedings that authorized the deployment of malware. Perversely, then, the public is aware of the investigation’s existence, and experts have even been able to analyze the malware used by the government, but the most basic details regarding the circumstances under which this operation was judicially authorized remain hidden. The public has a vital interest in knowing this information, which would greatly contribute to the ongoing public debate about the use of malware by law enforcement, and the government has no legitimate interest in keeping it secret.

The deployment of malware by a law enforcement agency -- a deployment that affected website visitors from around the world -- using a single warrant issued by a single judge is something that has never specifically been addressed by legislators. When cases like this arrive, the DOJ is quick to point out that the lack of a specific legislative permission slip should be construed as the lack of a definitive "no," rather than a suggestion the agency shouldn't allow its reach to extend its statutory grasp.

But despite having the permanent ear of many sympathetic legislators, the FBI has never sought to codify its questionable hacking tactics. The closest it's come is the proposed Rule 41 changes, which would allow the agency to obtain search warrants from the most accommodating magistrate judges and deploy them in jurisdictions where permission might not be so easily obtained.

As the ACLU points out, the FBI's refusal to discuss this openly with legislators is being aided and abetted by courts far too willing to lock up any supposedly public documents the DOJ feels the public -- including legislators -- shouldn't be able to access.

“The breadth and potency of malware as a law-enforcement tool raises concerns that can only be properly debated if legislators and the general public are aware of instances in which it is being used, the ways in which law enforcement seeks to use it, and the extent of judicial supervision,” the motion reads. “The sealing of docket sheets with warrants authorizing the use of malware prevents this critical public debate from happening, in violation of the public’s right of access.”

Allowing the government to maintain this secrecy only encourages further abuse of existing statutes. The longer secrets can be protected, the longer the FBI can use questionable methods backed by even more questionable legal authority. The DOJ's insistence on secrecy in all things tech-related has led it to directly encourage parallel construction, order prosecutors to drop cases rather than reveal means and methods, and basically turn normal law enforcement into Black Ops: Domestic Edition.

Polish authorities have requested British law enforcement to interrogate the node operator because of a 2014 forum post supposedly insulting the ex-mayor of a small Polish town; apparently an illegal act in Poland.

Specifically:

A letter from the District Public Prosecutor's Office in Bialystok, Poland, to the UK Home Office points to Article 212, paragraph 2 of the Polish Penal Code, which says, in sum, that characterising someone else in such a way that might "degrade them in public opinion or expose them to the loss of confidence necessary to occupy a given position […] is subject to a fine or the penalty of limitation of liberty."

The Tor exit node used by the person who allegedly wrote the problematic post is run by Thomas White, better known as TheCthulhu on Twitter, where his bio reads:

It will therefore come as no surprise that White is unsympathetic to the request by the District Public Prosecutor's Office in Bialystok. Even better, he has posted part of his statement in reply to that request, which is well worth reading.

White points out that the Polish law in question seems to violate Article 19 of The Universal Declaration of Human Rights, further enshrined as Article 10 of the European Convention on Human Rights. He says that he accepts the ex-mayor in question may have found a statement about him to be humiliating or offending, but adds:

I have many times felt offended where his political party have made derogatory remarks concerning the LGBT community for example, or where his complaint is an attempt to trample upon the rights of others. The difference is that I seem to have the mental capacity to take the opinions of others on board and reason my views with them to make my points.

White concludes pretty much as you might hope and expect:

I can only reaffirm my position that I have no intention of assisting with the request from the Polish authorities

Of course, the great thing about Tor is that White couldn't help the Polish authorities even if he wanted to, since he was just operating the exit node, and knows nothing about the origin of the Tor traffic he facilitates. The sooner governments learn this basic fact, the sooner they can stop wasting time and resources trying to extract information from people that don't have it.

from the good-luck-with-that dept

It would appear that Congress is not so happy that the State Department is a major funding source for the Tor project. Tor, of course, is the internet anonymizing system that was originally developed with support from the US government as a way to promote free and safe access to the internet for people around the globe (mostly focusing on those under threat in authoritarian countries). Of course, other parts of our government aren't huge fans of Tor, because it doesn't just help activists and dissidents in other countries avoid detection, but also, well, just about anyone (except on days when the FBI decides to hack their way in).

There has, of course, always been some tension there. There are always the conspiracy theorists who believe that because Tor receives US government funding it is by default compromised. Those tend to be tinfoil hat wearing types, though. The folks who work on Tor are not exactly recognized for being particularly friendly to intrusive government surveillance. They tend to be the exact opposite of that. And, of course, part of the Snowden revelations revealed that Tor was one tool that still stymied the NSA in most cases.

But it appears that Congress may be quietly trying to undermine this. On Friday, Politico had a tiny blurb in passing about how the latest State Department appropriations bill making its way through Congress includes some references to stopping "circumvention technologies" from being used by bad people. The Politico report suggests this is designed to apply more broadly to encryption, but reading the specifics it appears to be targeted straight at Tor. Here's the Senate report on the appropriations, where it discusses funding related to "internet freedom."

That, of course, was the reasoning behind Tor in the first place, but here Congress is now trying to put some limitations on what the State Dept. can do with its funds, including demanding that it seek out ways to stop bad guys from using technology like Tor. In the report, it's described this way:

...the Committee requires that spend plans submitted by the Department of State and BBG pursuant to section 7078(c) of the act include a description of safeguards to ensure that circumvention technologies are not used for illicit purposes, such as coordinating terrorist activities or online sexual exploitation of children.

In the full bill, the key section notes that the funding shall only be available for internet freedom after efforts are made to stop bad people from using the tools.

... made available for the research and development of new tools or techniques authorized in paragraph (A) only after the BBG CEO, in consultation with the Secretary of State and other relevant United States Government departments and agencies, evaluates the risks and benefits of such new tools or techniques, and establishes safeguards to minimize the use of such new tools or techniques for illicit purposes.

In case you're wondering, the "BBG CEO" is the CEO of the Broadcasting Board of Governors, the US government agency that manages media efforts around the globe, such as the Voice of America.

Make no mistake, this appears to be an attempt to sneak in an attack on Tor via Congress into the State Dept. Tor has been developed to provide the best absolute anonymity/privacy tools for people using the internet -- with the acknowledgement that it can be misused, because the people developing it recognize that the best way to protect the vast majority of its users is to build a system that is truly secure -- not one that artificially tries to limit its uses. Hopefully, this provision is changed, or else it may be eventually leveraged as a way to attack Tor, to attack Tor's funding and try to get the State Department to stop supporting such useful projects.

Mozilla now seeks to intervene in relation to the Government’s pending Motion to request modification of the Order, or in the alternative, to participate in the development of this issue as amicus curiae in favor of neither party, for the purpose of requesting that the Court modify its Order to require the government to disclose the vulnerability to Mozilla prior to disclosing it to the Defendant. Absent great care, the security of millions of individuals using Mozilla’s Firefox Internet browser could be put at risk by a premature disclosure of this vulnerability. This risk could impact other products as well. Firefox is released under an open source license. This means that as Firefox source code is continuously developed, it is publicly available for developers to view, modify, share, and reuse to make other products, like the Tor Browser. The Tor Browser comprises a version of Firefox with some minor modifications to add additional privacy features, plus the Tor proxy software that makes the browser’s Internet connection more anonymous.

With the Tor browser being built on the Firefox framework, any exploit of Tor could affect vanilla Firefox users. Not only that, but the FBI is apparently sitting on another Firefox vulnerability it used in a previous investigation to unmask Tor users. (This refers to the FBI's 2012 child porn sting, which also used a NIT to obtain information about visitors to a seized website.) The filing notes the FBI has been less than helpful when approached for info about this Firefox/Tor-exploiting NIT.

Mozilla has contacted the Government about this matter but the Government recently refused to provide any information regarding the vulnerability used, including whether it affects Mozilla’s products. Accordingly, Mozilla requests that the Court modify its order to take into account how such disclosure may affect Mozilla and the safety of the several hundred million users who rely on Firefox.

Mozilla wants to see this information two weeks before it's disclosed to the defendant so it can patch the hole. While it's not opposed to the information being turned over to the defendant, this headstart would allow it to fix the vulnerability before it becomes public knowledge and is turned into a weapon to be wielded against millions of Firefox users.

There's a Fifth Amendment implication here as well: the due process right of third parties to act on behalf of properties or interests affected by criminal investigations or court decisions.

To consider the weight of Mozilla’s interests, this Court must determine whether the Exploit to be disclosed takes advantage of an unfixed Firefox vulnerability. If it does, Mozilla will suffer harm if the Court orders the government to disclose the vulnerability to the Defendant under the existing protective order. Likewise, Mozilla continues to suffer harm by the Government’s refusal to confirm at this point whether Firefox is the target of the vulnerability. [...] Due process compels this Court to hear Mozilla’s arguments and consider its interests before rendering a decision.

The proposed protective order doesn't do enough to prevent discovery of the vulnerability, according to Mozilla.

The protective order does not contain restrictions on disclosing knowledge learned through examining NIT Protected Material. This alone marks a serious deficiency in the Protective Order as the damaging information about the vulnerability is likely something that someone can easily remember. Rather, the Protective Order’s disclosure restrictions are limited to the further distribution of the copies of information the defense receives from the government. Without more restrictive provisions, the protective order relies too heavily on the Defendant’s representations he and his defense team will not share copies, but not on any explicit agreement that they will not share or use information learned or that they will put security safeguards in place

Not that the NIT's specifics are necessarily secure if the court refuses to order disclosure to Michaud or Mozilla. The declaration entered by defendant Jay Michaud's expert witness points out that the previous use of the NIT in the 2012 case resulted in the FBI turning over information about the exploit to the defendant. So, there's precedent for disclosure, which is what Michaud's lawyer is demanding. But there's also evidence the FBI is hardly the best repository for exploits and vulnerabilities.

The Cottom case, which also involved an FBI NIT, provides a helpful comparison. In Cottom, the government agreed to cooperate with the defense's discovery requests. However, the FBI later reported to the Nebraska court that it had lost part of the NIT source code. Given the potential harms and security issues the government has raised in connection with the disclosure information, the FBI's loss of NIT code in Cottom is still hard to understand. But there at least the government did not dispute the defense's need to analyze all of the available components and code to prepare pre-trial motions, a Daubert challenge, and potential trial defenses.

Hard to understand, indeed. How does someone lose "part" of an exploit's code, especially considering the FBI's obvious interest in deploying it in other investigations? Might just be stupidity, but considering its evidentiary implications and the FBI's extreme reluctance to expose "means and methods," it also smells a bit of maliciousness.

While Mozilla's attempted intervention may force the FBI to turn over information on its NIT, it's unlikely to be much of a direct benefit to Michaud. His lawyer is opposed to Mozilla's request for exploit info and its offer to appear as an amicus in support of Michaud's motion to compel. His filing notes that while Mozilla is not opposed to the FBI also turning over this information to Michaud, he and his client have no interest in returning the favor should the court side with Michaud, rather than Mozilla.

Mr. Michaud has no stake in Mozilla’s dispute with the Government. Further, the defense has no intention of disclosing any NIT discovery to Mozilla, a third party, or the public in general under any circumstances. To the extent that Mozilla is concerned that the existing NIT protective order does not provide “adequate safeguards” (dkt. 195 at 12), the defense has stated that it is amenable to any and all additional security measures and modifications to the existing NIT protective order that the Court deems appropriate.

Not an unreasonable response, as Michaud's lawyer's ultimate duty is to serve his client, not millions of Firefox/Tor users. As for the government, it's likely incredibly irritated that its super-secret tool is gaining it no traction in supposedly open-and-shut child porn prosecutions. Not only are courts finding the warrants used to perform these extrajurisdictional searches invalid from word one, but defendants are pushing back hard against the FBI's "investigative methods" secrecy and dismissive attitude towards the Fourth Amendment. I'm sure it had no idea it would be 198 documents deep into a single child porn case at this point -- much less being nowhere closer than day one to securing a conviction.

from the not-cool-fbi dept

Isis Agora Lovecruft is a lead software developer for Tor and has worked on Tor for many years, as well as on a variety of other security and encryption products, including Open Whisper Systems and the LEAP Encryption Access Project. And, apparently, the FBI would really like to talk to her, but won't tell her (or her lawyer) exactly why. It's really worth reading her whole post, which starts with an FBI agent showing up at her parents' home and leaving a card, and then later phoning her mother's cell phone while she was at work a few days later. Lovecruft had a lawyer reach out to the FBI agent in question, which resulted in an odd discussion:

Word got to my lawyer in the US, who decided to call FBI Special Agent Mark Burnett, on that Friday, saying that he represented me and my family. Burnett said the FBI simply wanted to ask me some questions. My lawyer responded by stating that, as my invoked representation, all questions should be directed to him rather than to me or my family. The agent agreed, paused while some muffled male voices were heard in the background, and asked to call back in five minutes.

Five minutes later, Burnett called back and said, “I don’t believe you actually represent her.” Burnett stated additionally that a phone call from me might suffice, but that the FBI preferred to meet with me in person. After a pause he said, “But… if we happen to run into her on the street, we’re gonna be asking her some questions without you present.”

Complicating matters was the fact that Lovecruft was deep into the process of moving permanently to Germany, and actually had just been visiting her family in the US. She worried about whether or not she'd even be able to leave, though eventually flew back to Europe without incident. She notes that once back in Germany, she was focused on getting all the documentation in order to get her official residence visa in Germany when the FBI again came looking for her:

The day before my appointment, I spoke with my lawyer. He had received another call, this time from a FBI Special Agent Kelvin Porter in Atlanta.

Lawyer: Hello?

Agent: Hello, this is Special Agent Kelvin Porter at the FBI field offices in Atlanta. I’m calling concerning your client.

Lawyer: Yes. Why are you trying to contact her?

Agent: Well… as before… we would strongly prefer to meet her in person. We have teams in Los Angeles, San Francisco, Chicago, New York, and Atlanta keeping an eye out for her.

Lawyer: Your colleague mentioned last time that you would accept a phone call?

Agent: We would strongly prefer to meet her in person. We… uh… have some documents we’d like her opinion on.

Lawyer: Umm…? What documents?

Agent: Anyway, if she’s available to meet with us, that would be great, thanks.

It didn’t exactly help with the stress of applying for a residence visa to know that there were teams in five cities across America keeping an eye out for me. However, I’m glad to say that, the next day, my residence visa was approved. Eight hours afterwards, my lawyer received a voicemail saying:

Agent: Hello this is Special Agent Kelvin Porter, we spoke two days ago regarding your client. Umm… well… so the situation with the documents… it’s umm… it’s all fixed. I mean, we would of course still be happy to meet with your client if she’s willing, but the problem has… uh… yeah… been fixed. And uh… yeah. Just let us know if she wants to set up a meeting.

So, that seemed to settle things for the time being -- though still made her nervous. That last conversation happened in January. But it appears that last week, the FBI came knocking again, and apparently said they want to serve her with a subpoena.

The FBI has contacted my lawyer again. This time, they said, “She should meet with one of our agents in San Francisco to talk. Otherwise, are you the point of contact for serving a subpoena? She’s not the target of investigation, but, uh… we uh… need her to clear up her involvement or… uh… potential involvement in a matter.”

She's (reasonably) worried that whatever the FBI is planning to ask her about or serve her with comes with a gag order and she won't be able to speak about it. She also notes that she's got a personal warrant canary, which might be worth watching for obvious reasons.

But, honestly, the part that struck me as most interesting about all of this is the incredible amount of stress that this obviously caused for her. It doesn't matter if the FBI says she's "not a target," having the FBI come looking for you can really shake you up. Especially when they won't provide any details:

I didn’t talk to anyone who wasn’t already in regular contact with me, fearing I might endanger them — some thug might show up at their mom’s door or make some threats to their lawyers — and I didn’t want to risk harming people I care about. It hurt to not tell my friends what was happening. I felt gagged and frightened. I wanted to play chess in the park. I wanted to learn duets on the piano. I wanted to ride bicycles through the ancient groves in the park in the endless Californian sunshine. I wanted to bring homemade vegan gluten-free brownies and stickers from collectives in France to my friends at the EFF. To be selfish, I wanted to read the number theory papers I’d just downloaded and play with a new pairing-based cryptography library I’d just been given the source to, but I couldn’t do those things either, simply because I was too stressed out to think straight.

I got absolutely no work done.

That, right there, is a clear description of the chilling effects that this kind of thing can cause. And that's a shame. As she later notes, her paychecks for working on Tor come from the US government. She's not a spy or a criminal. She's working on software that makes everyone safer. And no matter what the reason for the FBI's interest, it's ridiculous that someone should have to go through this kind of process.

from the above-the-law? dept

There are a bunch of different cases going on right now concerning the FBI secretly running a hidden Tor-based child porn site called Playpen for two weeks, and then hacking the users of the site with malware in order to identify them. The courts, so far, have been fine with the FBI's overall actions of running the site, but there are increasing questions about how it hacked the users. In FBI lingo, they used a "network investigative technique" or a NIT to hack into those computers, but the FBI really doesn't want to talk about the details.

In one case, it was revealed that the warrant used by the FBI never mentions either hacking or malware, suggesting that the FBI actively misled the judge. In another one of the cases, a judge has declared the use of the NIT to be illegal searches, mainly based on jurisdictional questions (the warrants were for Virginia, but the individuals were far away from there).

In yet another case, the one involving Jay Michaud, his lawyers have now told the court that the DOJ has made it clear that, despite the court ruling earlier this year that the FBI must reveal the details of the NIT/hacking tool, it will not do so (first revealed by Brad Heath). The redacted filing is in response to a (sealed) motion for reconsideration by the DOJ, but reveals more or less what the DOJ said in that filing:

If you can't see that, the relevant portion reads:

The Government has now made plain that the FBI will not comply with the Court's discovery order... [REDACTED]... The Government further acknowledges that "there may be consequences for this refusal." [REDACTED] Pursuant to the law discussed below, the consequences are straightforward: the prosecution must now choose between complying with the Court's discovery order and dismissing the case.....

The dilemma is one entirely of the Government's own making, and nothing in its Motion for Reconsideration or renewed requests for secret proceedings changes the analysis.

The filing goes on to point out how the FBI has similarly been refusing to reveal details of its Stingray mobile phone surveillance tools (something we've discussed here quite a bit), leading to convictions being overturned. As Michaud's lawyers point out, the situation here is basically the same. If the FBI refuses to obey a court order, then the case should be dropped.

As the Maryland court observed, the FBI’s obstruction of disclosure “from special order and/or warrant application through appellate review – prevents the court from exercising its fundamental duties under the constitution.” ... “[I]t is self-evident that the court must understand why and how [a] search was conducted,” and “[t]he analytical framework requires analysis of the functionality of the surveillance device and the range of information potentially revealed by its use.” ... These conclusions mirror the conclusions reached by this Court at the February 17 hearing.

The filing also highlights how important it is to get the details, noting that the FBI has a history of incorrectly raiding homes because it doesn't understand how Tor works:

The Government’s refusal to comply with the discovery order is all the more untenable given the exceptional technical complexities that are involved with the Tor network and the FBI’s use of sophisticated hacking “techniques.” Just a few weeks ago, Seattle police raided the home of two people who use the Tor network, based on an allegation that their IP addresses had been linked to child pornography, when in fact illicit traffic had merely passed through their connection to the network.....

But perhaps even more amusing, the lawyers point out how the DOJ/FBI's claims here run exactly counter to the DOJ/FBI's arguments about Apple's obligation to respond to the DOJ's court order to help unlock encrypted phones:

Their complaint is that the DOJ said that Apple could use a secure location to keep the code safe, but rejects such a solution here -- but the comparison could go even deeper. After all, the DOJ kept saying that Apple was acting as if it was above the law in telling the FBI that it would not write special software to help break into a phone. Yet, here, the request is much more straightforward. The FBI doesn't have to write any new code at all... it just has to reveal what it has been told to reveal by a court: the software it used to hack into someone's computer.

Of course, there's also the fact that because of the whole Apple/DOJ fight, Senators Dianne Feinstein and Richard Burr started pushing a bill to ban encryption that opens with the following:

Somehow, I get the feeling that both Feinstein and Burr will feel differently when it's the FBI/DOJ refusing to comply with court orders, and will claim the government is correct here. I wonder if anyone else in the Senate will now release a companion bill to the Burr/Feinstein bill suggesting that the DOJ itself should start complying with court orders, as it is not "above the law."

from the TASE-THAT-ROUTER dept

An IP address is not a person, even less so if said IP address traces back to a Tor exit relay. But that's not going to stop the "authorities" from subjecting people with no knowledge at all of alleged criminal activity to raids and searches.

It happened in Austria. Local police seized a bunch of computer equipment from a residence hosting a Tor exit node. ICE -- boldly moving forward with nothing more than an IP address -- seized six hard drives from Nolan King, who was also running a Tor exit relay.

Those more familiar with Tor suggested ICE's "upon information and belief" affidavit statements should probably include at least a little "information" and recommended law enforcement check publicly-available lists of Tor exit nodes before conducting raids based on IP addresses. ICE, however, vowed to keep making this same mistake, no matter what information was brought to its attention.

"They were there because I run a Tor exit relay," he says. Tor (which stands for The Onion Router) is a system that allows people to surf the Internet anonymously. It's sometimes referred to as the "dark Web," and it relies on Internet connections provided by volunteers like Robinson.

Robinson said the Seattle PD "should have known" he couldn't "see" the traffic passing through his node and that the relay was little more than a "post office": something anyone can use, even criminals, to send and receive information.

Considering he's depicted as a "prominent privacy activist," Robinson "should have known" a few things himself. This is not the correct response to a 6 a.m. visit by misguided police officers.

[W]hen Seattle police showed up at David Robinson's home shortly after 6 a.m. last Wednesday, he figured he had little choice but to let them in and hand over all his computer passwords.

That's no way to handle the police. Of course, they did present Robinson with a bad/worse proposition.

Instead of impounding all of Robinson's computers, which the warrant would have allowed, they offered to search them on the premises as long as he consented to turning over his passwords. He did, and they let him keep his machines after they scanned them.

On-site imaging: now a thing thanks to extremely cheap, portable storage. Still, that's not much comfort to Robinson, who no longer trusts his computers.

Given his early morning wake-up call last week and the fact that he may now have to get rid of his computers because he can't be sure what the police did to them while he was being questioned outside his apartment, Robinson says he may have to reassess whether it's practical for him to [continue running Tor relays].

It would be a lot more practical if law enforcement didn't assume "IP address" = "smoking gun." It also would help if people -- including politicians -- didn't assume just because something's not visible, it must be criminal. As has been pointed out before, Tor Project publishes a list of publicly-available exit relays and anyone can access that list -- even law enforcement. Courts have declared, on multiple occasions, that an IP address is not a person. I guess those logical conclusions have yet to trickle down to law enforcement level.